This year’s exercise planning working group adopted a deliberate story-driven methodology of scenario development, centered around specific learning objectives. This approach resulted in a dynamic environment where each SP and IdP had different types of incidents to respond to, tied to a coherent narrative:
- Some IdPs reacted to phishing scenarios.
- Others responded to compromised end-user devices.
- Some SPs reacted to hostile destruction of research data scenarios.
- Other SPs dealt with an insider-threat scenario.
As the story unfolded over the multiple days of the script, the IdPs with compromised credentials used Sirtfi to notify the affected SPs’ security teams. SPs practiced taking in multiple inputs from multiple IdPs, managing the unfolding event, and using Sirtfi to notify further affected parties when applicable.
Response from the participants was positive, with a shared desire to do another exercise next year. During the feedback session, a theme continuing from last year was that this exercise helped strengthen their organizations’ internal ties between their security teams and identity and access management teams.
Looking Ahead
The Sirtfi Exercise Planning Working Group (SEPWG) plans to reconvene early next year and continue to grow and expand opportunities to practice intra- and inter-federation incident response.
Members of the SEPWG will be guided through the story-driven methodology and have an opportunity to contribute to ‘the cookbook.’ They will also be trained on how to run such an exercise and have an opportunity to be part of the Exercise Control Cell. Organizations contributing time to help the SEPWG will also get priority for their security teams to participate in the capstone tabletop exercise. The planned capstone event will be another distributed tabletop exercise in November 2025.
Kyle Lewis is vice president of cybersecurity strategy at InCommon Catalyst RDCT.
About the Sirtfi Exercise Working Group
The Sirtfi Exercise Working Group prepares members of the InCommon Federation community to handle a federated security incident by conducting one or more tabletop exercises to simulate aspects of responding to the real thing. Exercises are intended to be learning opportunities, increasing familiarity with and shared understanding of key concepts and practices in the Sirtfi framework. The Sirtfi Exercise Working Group is chartered by the InCommon Community Trust and Assurance Board. Additional information is available on the working group wiki.